How can we get a report if there is any change in ArcSight?
Just need some help: I want to pull a report from ArcSight if there is any change in configuration, or a user creation or deletion. Need your help on how I can get that report or logs.
You can enable extended audit settings in the ArcSight server.properties file and specify the resources that are included by using the option.
(The manager must be restarted for the changes to take effect)
This will then generate ArcSight audit events for the resources specified. These events can then be used in rules, reports, dashboards, etc.
For example, to audit all changes to rules you would specify
or to audit changes to a specific folder of rules
You can do this for any type of resource and then look for the audit events associated with it. Here are a few more examples; notice that multiple resource URIs are comma-separated.
resource.audit.update.uris=/All Rules,/All Users/Administrators,/All Active Lists/foo/bar
This would audit all Rule resource changes, all changes to user resources in the Administrators folder, and all changes to active lists in the subfolder foo/bar.
For example, including /All Rules would generate an audit event when a rule resource is updated (configuration changed):
deviceProduct = ArcSight
sourceUserId = 45mid0ndjndmj83== (the ArcSight ID of the user)
destinationUserName = username
deviceEventClassId = resource:101
deviceCustomString2 = the resource URI that was edited.
There are a lot more fields that are populated on the event but hopefully this gives you enough information to go and explore those events and build some useful content / reports!
Let me know if you have any issues!
You can find additional audit settings for specific resources in the server.defaults.properties file. This is usually located in $ARCSIGHT_HOME/manager/config/server.defaults.properties
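As an added illustration (not code from the answer above or from ArcSight), the following script reads the resource.audit.update.uris value from a constructed server.properties fragment and builds a per-user change report from constructed audit events that use the field names shown above. The resource:101 class id and the field names come from the answer; the event values, the placeholder user ids, the whitespace trimming and the path-component prefix matching are assumptions.

```python
from collections import defaultdict

# Constructed server.properties fragment; only the key name comes from the answer above.
SERVER_PROPERTIES = """
resource.audit.update.uris=/All Rules,/All Users/Administrators,/All Active Lists/foo/bar
"""

# Constructed audit events using the field names from the answer;
# sourceUserId values are placeholders, not real ArcSight IDs.
AUDIT_EVENTS = [
    {"deviceProduct": "ArcSight", "deviceEventClassId": "resource:101", "destinationUserName": "alice",
     "sourceUserId": "ID_PLACEHOLDER_1", "deviceCustomString2": "/All Rules/Brute Force Login"},
    {"deviceProduct": "ArcSight", "deviceEventClassId": "resource:101", "destinationUserName": "bob",
     "sourceUserId": "ID_PLACEHOLDER_2", "deviceCustomString2": "/All Users/Administrators/carol"},
    {"deviceProduct": "ArcSight", "deviceEventClassId": "resource:101", "destinationUserName": "alice",
     "sourceUserId": "ID_PLACEHOLDER_1", "deviceCustomString2": "/All Active Lists/other/list"},
    # prefix trap: "/All Rulesets" must not match the audited "/All Rules"
    {"deviceProduct": "ArcSight", "deviceEventClassId": "resource:101", "destinationUserName": "bob",
     "sourceUserId": "ID_PLACEHOLDER_2", "deviceCustomString2": "/All Rulesets/x"},
    {"deviceProduct": "Other", "deviceEventClassId": "resource:101", "destinationUserName": "eve",
     "sourceUserId": "ID_PLACEHOLDER_3", "deviceCustomString2": "/All Rules/foo"},
]

def audited_uris(properties_text, key="resource.audit.update.uris"):
    """Return the comma-separated URI list for `key` (whitespace trimming is an assumption)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(key + "="):
            return [u.strip().rstrip("/") for u in line.split("=", 1)[1].split(",") if u.strip()]
    return []

def is_under(uri, prefix):
    """Path-component prefix match: '/All Rules' covers '/All Rules/x' but not '/All Rulesets'."""
    return uri == prefix or uri.startswith(prefix + "/")

def change_report(events, uris):
    """Group ArcSight resource-update audit events (resource:101) by the user who made the change."""
    report = defaultdict(list)
    for e in events:
        if e.get("deviceProduct") != "ArcSight" or e.get("deviceEventClassId") != "resource:101":
            continue
        target = e.get("deviceCustomString2", "")
        if any(is_under(target, p) for p in uris):
            report[e["destinationUserName"]].append(target)
    return dict(report)
```

Running change_report(AUDIT_EVENTS, audited_uris(SERVER_PROPERTIES)) keeps only alice's rule change and bob's Administrators change; the unaudited active list, the /All Rulesets decoy and the non-ArcSight event are dropped.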